Contact Person:
Assessment Contributors:
Description of Information:
Availability requirement:
Security Program
Identification of Information Security Officer (III.A - page 4)
Designate an individual to perform the function of an Information Security Officer(s) on each campus.
CAMPUS-LEVEL IMPLEMENTATION: The Director, Client Services and Security in ITS is the designated IS-3 Information Security Officer for UCSC.
Security Plan (III.C - page 6)
Define/update the "security objectives" for confidentiality, integrity, and availability of information resources, describing the potential harm/impact that failure to achieve security objectives would have on the operations, function, image/reputation, or ability to protect personal information.
Each organization should have a security plan in place defining their resources rating/risk (restricted/confidential/essential) with the appropriate level of protection implemented depending on risk. This security plan should include actions taken for mitigation appropriate to risk level. Describe your security plan and any action/security plans you create resulting from this or other security reviews.
Education & Security Awareness Training (III.E - page 24)
Conduct appropriate security awareness training for faculty, staff, and students.
BACKGROUND: General and restricted data self-paced security training materials are available online at http://its.ucsc.edu/security_awareness/ and incorporated into campus new employee orientation and Staff Training & Development curriculum. Campus awareness activities occur via email and during National Cyber Security Awareness Month (October). Divisional security activities derive from central communications, local operational needs, and event-driven responses.
Confidential: Security Sensitive – Not For Public Disclosure Page 2 of 13 2008, 522064281.xls
UNIVERSITY OF CALIFORNIA, SANTA CRUZ
IT SECURITY COMPLIANCE SELF-ASSESSMENT
Security Controls
* Control access to working sessions through session timeout mechanisms. - [Session protection (III.C.2.b.ii)]
QUESTIONS: Is there a session timeout for the application, including for administrators? Are users encouraged to implement screensaver locks at the desktop? Are desktops configured to automatically lock or go to screensaver after a period of inactivity?
* Control privileged account access through defined procedures for providing privileged accounts and reviewing activity under privileged account. - [Privileged access (III.C.2.b.iii)]
QUESTIONS: See "[Workforce] Administrative," above, for the process for obtaining privileged access/accounts. Is privileged access and activity logged? Are logs reviewed periodically? Are they reviewed in response to potential security events? Do individuals have unique access credentials for privileged access?
* Backup systems supporting essential activities; encrypt data where required to secure backup data. - [Back Up and Retention (III.C.2.c.ii)]
BACKGROUND: If the system or service is in the ITS Data Center, this information is provided by the ITS Core Tech Operations group. The Data Center has regular data backups.
QUESTIONS: Are backups containing restricted data stored securely and/or encrypted? For all systems, including those in the Data Center, is recovery of data tested? Is data integrity/user functionality ensured/verified upon recovery or restore? Is a retention and disposition schedule in place for backups? Also see "Risk Mitigation Measures," above.
* Control access to networked devices through authentication measures (e.g. user name/password or better). - [Access Control Measures (IV.A.)]
See "[Workforce] Administrative" and "Access Controls," above.
* Protect passwords or other authentication tokens while in transit through the use of encryption. - [Encrypted Authentication (IV.B.)]
See "Encryption," above.
* Control potential security loopholes by maintaining current operating system, application software, and firmware code on all devices connected to the network. - [Patch Management Practices (IV.C.)]
See "Systems and Application Security," above.
* Protect networked devices against malicious software. - [Malicious Software Protection (IV.D.)]
See "Systems and Application Security," above.
* Control the use of networked devices for intended purposes by eliminating unnecessary services from devices. - [Removal of Unnecessary Services (IV.E.)]
QUESTIONS: Are services not necessary for operation disabled, turned off or removed, including ports, relays, and default accounts?
* Control network communications to/from networked devices through host-based firewall software, as available. - [Host-based Firewall Software (IV.F.)]
QUESTIONS: Are host-based firewalls enabled and properly configured, where available? What about network firewalls and Intrusion Detection System/Intrusion Prevention System?
Payment Card Industry Data Security Standard (PCI DSS)
If credit card information is stored, processed or transmitted, has the campus PCI Compliance Team been informed? Is the credit card environment PCI compliant? http://its.ucsc.edu/security/policies/pci.php
Maturity Levels
0 Not Performed: Complete lack of any recognizable processes. The institution has not even recognized that there is an issue to be addressed.
1 Performed Informally: There is evidence that the institution has recognized that the issues exist and need to be addressed. There are, however, no standardized processes; instead, there are ad hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to management is disorganized.
2 Planned and Tracked: Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures, and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and, therefore, errors are likely.
3 Well Defined and Communicated: Procedures have been standardized and documented, and communicated through training. It is mandated that these processes should be followed; however, it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalization of existing practices.
4 Managed and Measurable: Management monitors and measures compliance with procedures and takes action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.
5 Continuously Improved: Processes have been refined to a level of good practice, based on the results of continuous improvement and maturity modeling with other enterprises. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.